The Mobile Core Becomes the Agent Control Plane
The May 2026 arXiv paper AgentxGCore: Agentic AI for Next-Generation Mobile Core Network, by Maria Katarine Santana Barbosa and Kelvin L. Dias, moves LLM agents from office workflows into the operational heart of telecom infrastructure.
From Network Management to Network Action
The paper, arXiv:2606.00417 [cs.NI], was submitted on May 29, 2026 and the arXiv record says it has been accepted for publication in IEEE Network. The authors frame the next-generation mobile core as a place where AI is no longer only a prediction layer. The core network handles mobility management, connectivity, session management, policy control, and data analytics. If an agent can act through that layer, it is participating in telecom operation.
Barbosa and Dias call their proposal AgentxGCore: an agentic AI-native layer for the beyond-next-generation core, or xGC. It extends the 3GPP architecture by using existing APIs and building a closed loop for real-time optimization, self-organization, and self-adaptation. The immediate technical aim is intent-based networking: an operator states a goal, and the system plans and executes network actions to satisfy it.
This is adjacent to runtime governance for production agents and intent-governed tool authorization, but the blast radius is different. A tool call in a telecom core can alter policy rules, session handling, user-plane functions, and quality-of-service behavior for live traffic.
Planner, Executor, and Tools
The proposed architecture divides work between specialized agents. A network planner agent reads the current network state, evaluates whether the operator's intent is already being met, and develops an action plan when it is not. A network executor agent criticizes the plan, identifies the tools needed to carry it out, and triggers those tools through the system.
The tool layer matters. The paper describes an MCP server that exposes mechanisms for discovering and integrating network tools, allowing the agent layer to identify and invoke 3GPP and management-orchestration APIs. Agent coordination follows an Agent-to-Agent pattern, with planner and executor exchanging structured plans and execution feedback. In other words, the agent is not merely advising a network engineer. It is being wired into the control loop.
The monitor tools combine 3GPP observability with management data from systems such as Prometheus and Kubernetes. They can include network metrics, virtual network function state, CPU and RAM usage, AI tools for traffic prediction, and external contextual sources. The executor tools can modify network functions, allocate resources, update Policy Control Function rules, and modify Session Management Function behavior.
Case Study as Warning
The case study is concrete. The authors implement AgentxGCore as an extension of the OpenAirInterface 5G Core in a Docker-based environment. They expose control-plane configuration management through 3GPP APIs for the PCF and SMF, use Prometheus APIs for observing available function instances and utilization, and add a Gated Recurrent Unit model that predicts downlink traffic over a 10-second horizon.
The scenario concerns user-plane function allocation under heterogeneous traffic. The paper uses data flows including cloud gaming, live streaming, and video on demand, then evaluates execution time, average downlink throughput, and round-trip time. It compares Gemini Pro 2.5, Gemini Flash 2.5, GPT-4.1, and GPT-4.1 Mini as the LLMs used by the agentic core.
The result is a caution against equating larger models with better infrastructure control. The authors report that GPT-family models achieved the lowest execution times but appeared to underuse tools and deviate from the target throughput. They also report that GPT-4.1 and Gemini Pro 2.5 struggled with simple continuous tasks, while Gemini Flash was more effective for this automation scenario. The governance lesson is not "use one named model." It is that infrastructure agents need task-specific operational evaluation, not brand trust.
Security Is the Control Plane
The paper's open research issues are the part operators should read first. Barbosa and Dias warn that generic models can fail at planning or hallucinate, making the system ineffective or slower to converge. They also say granting agentic AI full network control can lead to repeated activation and deactivation of network functions and interruptions to PDU sessions.
Remote models introduce a different boundary. Sending contextual network information to external servers can expose internal policies, performance metrics, and user information. Local models reduce some exposure but create latency, hardware, update, and operational-cost problems. The paper therefore names hybrid strategies, local servers, anonymization, encryption, prompt engineering, limited tool functionality, human-in-the-loop mechanisms, and fine-tuning as relevant controls.
This belongs beside embedded agent fleets and device attestation. The telecom version is harsher because the network is already an authority system. It authenticates subscribers, routes sessions, applies policy, and carries location-sensitive communication. An agentic core cannot be governed as a helpful assistant. It has to be governed as a control-plane participant.
Governance Standard
A mobile-core agent should never be certified by answer quality alone. Its safety case should name the intents it may accept, the APIs it may call, the network functions it may modify, the time horizon of each action, the rollback path, the human approval rules, the subscriber-data boundary, and the logs needed to reconstruct every plan, critique, tool call, and resulting network state.
Operators should separate suggestion, staged execution, and live execution. A planner may propose a UPF allocation plan; an executor may validate it in a simulator; a production loop may apply only bounded changes with rate limits and circuit breakers. Remote LLM access should be treated as a data-export event, not just an inference choice. Local inference should be treated as critical infrastructure, not just a privacy feature.
The Spiralist rule is simple: when the mobile core becomes an agent control plane, availability, privacy, and accountability become the same problem. The question is not whether an agent can optimize a slice. The question is whether the operator can prove who authorized the intent, which model planned it, which tools executed it, which users were affected, and how the network can be returned to a known-good state.
Sources
- Maria Katarine Santana Barbosa and Kelvin L. Dias, AgentxGCore: Agentic AI for Next-Generation Mobile Core Network, arXiv:2606.00417 [cs.NI], submitted May 29, 2026.
- arXiv experimental HTML for AgentxGCore: Agentic AI for Next-Generation Mobile Core Network, reviewed June 24, 2026.
- Related pages: The Agent Runtime Becomes the Governance Plane, The Tool Scope Becomes the Intent Gate, The Embedded Agent Becomes the Device Fleet, The Device Attestation Becomes the Trust Layer, and The AI Bill of Materials Becomes the Supply Chain Map.